Another session in tcpdump


Let's look at something with more meat. Remember last time I showed a TCP session using Ethereal. Well, let's look at a similar session in tcpdump. For the purposes of this illustration, I've cut out a bunch of extraneous data.

For this particular packet dump, I used the following command: tcpdump -l -vvv -x -X > tcpdat & tail -f tcpdat. This command makes tcpdump give both hex and ASCII output in a very verbose mode.

OK. We've connected to the remote system. Notice the last line. The fact that we're waiting for a login ID is clear. Now, understand that with telnet, every keystroke is sent to the remote system as a separate packet. With that in mind, look at the very last character of the next few packets. Note: some packets have been removed as they are echo packets sent from the server back to the client system.

Oh my! Someone is trying to log in as root. First of all, you should never log in as root directly. It's safer to log in as yourself and then issue the su command to become root. Let's see what else we have.

We now know the password for the root account on this box is "homebase." We know that's the last character because of the next few packets, which show the remote system confirming a successful login.
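The reconstruction above can be automated, which is a handy way to audit whether a network still carries logins that anyone with a sniffer could read. The following Python script is an added example and is not part of the original article: it parses tcpdump -x/-X text in the modern "0x0000:" hex-dump layout, decodes the IPv4 and TCP headers to locate each packet's payload, keeps only packets sent to the telnet port (so the server's echo packets, which the note above says were removed by hand, and unrelated traffic are skipped), and reassembles the keystrokes for each client-to-server flow. The capture embedded in it is constructed by hand for this example (checksums are zero and are not verified); the addresses, ports and the "root" login it contains are made up.

```python
import re

TELNET_PORT = 23

# Hex-dump line as printed by tcpdump -x / -X: an offset, then 2-byte groups
# (a trailing odd byte is printed as 2 hex digits), then, with -X, an ASCII
# column separated from the hex by at least two spaces. Older tcpdump
# releases use a different layout that this pattern does not cover.
HEX_LINE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{2,4}(?:\s|$))+)")

# Constructed sample capture (not a real trace): a client typing "root" and
# Enter into a telnet session, one echo packet coming back from the server,
# and one unrelated packet to port 443 that must be ignored.
SAMPLE_DUMP = """\
12:00:00.000100 IP 192.168.1.1.55028 > 192.168.1.2.telnet: Flags [P.], seq 1:2, ack 1, length 1
    0x0000:  4500 0029 0001 4000 4006 0000 c0a8 0101  E..)..@.@.......
    0x0010:  c0a8 0102 d6f4 0017 0000 0001 0000 0001  ................
    0x0020:  5018 7210 0000 0000 72                   P.r.....r
12:00:00.000200 IP 192.168.1.2.telnet > 192.168.1.1.55028: Flags [P.], seq 1:2, ack 2, length 1
    0x0000:  4500 0029 0002 4000 4006 0000 c0a8 0102  E..)..@.@.......
    0x0010:  c0a8 0101 0017 d6f4 0000 0001 0000 0002  ................
    0x0020:  5018 7210 0000 0000 72                   P.r.....r
12:00:00.000300 IP 192.168.1.1.55028 > 192.168.1.2.telnet: Flags [P.], seq 2:3, ack 2, length 1
    0x0000:  4500 0029 0003 4000 4006 0000 c0a8 0101  E..)..@.@.......
    0x0010:  c0a8 0102 d6f4 0017 0000 0002 0000 0002  ................
    0x0020:  5018 7210 0000 0000 6f                   P.r.....o
12:00:00.000400 IP 192.168.1.1.55028 > 192.168.1.2.telnet: Flags [P.], seq 3:4, ack 3, length 1
    0x0000:  4500 0029 0004 4000 4006 0000 c0a8 0101  E..)..@.@.......
    0x0010:  c0a8 0102 d6f4 0017 0000 0003 0000 0003  ................
    0x0020:  5018 7210 0000 0000 6f                   P.r.....o
12:00:00.000500 IP 192.168.1.1.55028 > 192.168.1.2.telnet: Flags [P.], seq 4:5, ack 4, length 1
    0x0000:  4500 0029 0005 4000 4006 0000 c0a8 0101  E..)..@.@.......
    0x0010:  c0a8 0102 d6f4 0017 0000 0004 0000 0004  ................
    0x0020:  5018 7210 0000 0000 74                   P.r.....t
12:00:00.000600 IP 192.168.1.1.55028 > 192.168.1.2.telnet: Flags [P.], seq 5:7, ack 5, length 2
    0x0000:  4500 002a 0006 4000 4006 0000 c0a8 0101  E..*..@.@.......
    0x0010:  c0a8 0102 d6f4 0017 0000 0005 0000 0005  ................
    0x0020:  5018 7210 0000 0000 0d0a                 P.r.......
12:00:00.000700 IP 192.168.1.1.55029 > 192.168.1.2.https: Flags [P.], seq 1:2, ack 1, length 1
    0x0000:  4500 0029 0007 4000 4006 0000 c0a8 0101  E..)..@.@.......
    0x0010:  c0a8 0102 d6f5 01bb 0000 0001 0000 0001  ................
    0x0020:  5018 7210 0000 0000 16                   P.r......
"""


def parse_dump(text):
    """Split tcpdump text into packets: a list of {'header': str, 'raw': bytearray}.

    A packet starts at a non-indented header line; indented non-hex lines (the
    continuation lines that -v/-vvv print) are folded into that header.
    """
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEX_LINE.match(line)
        if m:
            if packets:
                packets[-1]["raw"] += bytes.fromhex(re.sub(r"\s", "", m.group(1)))
        elif line[0].isspace() and packets:
            packets[-1]["header"] += " " + line.strip()
        else:
            packets.append({"header": line.strip(), "raw": bytearray()})
    return packets


def tcp_fields(raw):
    """Decode an IPv4/TCP packet as tcpdump -x prints it (no link-layer header).

    Returns (src_ip, src_port, dst_ip, dst_port, payload), or None when the
    bytes are not IPv4/TCP. Checksums are not verified.
    """
    if len(raw) < 20 or raw[0] >> 4 != 4 or raw[9] != 6:
        return None
    ihl = (raw[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = int.from_bytes(raw[2:4], "big")     # IP total length
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport = int.from_bytes(tcp[0:2], "big")
    dport = int.from_bytes(tcp[2:4], "big")
    data_off = (tcp[12] >> 4) * 4                  # TCP header length in bytes
    return src, sport, dst, dport, bytes(tcp[data_off:])


def plaintext_telnet_flows(text):
    """Map each client->telnet-server flow to the keystrokes it carried in the clear.

    Only packets *to* port 23 are kept, so server-to-client echoes and all
    non-telnet traffic drop out; one telnet keystroke per packet then
    concatenates into what the user typed.
    """
    flows = {}
    for pkt in parse_dump(text):
        fields = tcp_fields(pkt["raw"])
        if fields is None:
            continue
        src, sport, dst, dport, payload = fields
        if dport != TELNET_PORT or not payload:
            continue
        key = (f"{src}:{sport}", f"{dst}:{dport}")
        flows[key] = flows.get(key, "") + payload.decode("ascii", "replace")
    return flows


if __name__ == "__main__":
    for (client, server), typed in plaintext_telnet_flows(SAMPLE_DUMP).items():
        print(f"plaintext telnet {client} -> {server}: {len(typed)} bytes readable, {typed!r}")
```

Run as a script it reports the one telnet flow in the sample and the six bytes ("root" plus the Enter key's CR LF) that crossed the wire readable. To use it on a live capture, feed it the saved output of tcpdump -l -x -X (not -xx, which would prepend the link-layer header this decoder does not expect); the same check run against an SSH session finds nothing on port 23 and nothing readable, which is the whole point of the article's advice.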

With a little more experimentation and familiarity with tcpdump, you can do much more. Once again, if this same session had used Secure Shell (SSH) instead, the attacker would not have been able to capture any of this information; it would have been garbage and of no use at all.

I hope I've shown you just how easy it is to look at packets on a network. There is much, much more to it than what I've shown here, but this should give you a starting point for further learning.